A group of researchers have uncovered a security vulnerability in the Google Glass platform which could allow attackers to hijack devices with specially-crafted QR codes.
Security firm Lookout said that it has found a method for covertly taking control of Google Glass headsets by exploiting flaws in the way Glass interacts with the photographic codes.
According to Lookout, Google Glass is able to use QR codes to change its configuration, such as connecting to Wi-Fi networks automatically. Though the feature is intended to allow users to easily manage devices while on the move, researchers also worry that it could be exploited by hackers.
“While it’s useful to configure your Glass QR code and easily connect to wireless networks, it’s not so great when other people can use those same QR codes to tell your Glass to connect to their WiFi Networks or their Bluetooth devices,” Lookout said in its report.
“Unfortunately, this is exactly what we found. We analyzed how to make QR codes based on configuration instructions and produced our own 'malicious' QR codes.”
By exploiting the security loopholes, which have since been fixed by Google, the researchers were able to automatically connect devices to a 'hostile' wireless network. Once connected, the researchers were able to eavesdrop on web browsing activity, capture images which were being uploaded to the web and reconfigure devices to access attack sites which exploit Android security vulnerabilities.
The company said that it privately reported the flaw to Google in May and a fix for the flaw was released in early June.
“Google clearly worked quickly to fix the vulnerability as the issue was fixed by version XE6, released on June 4th,” the company said.
“Lookout recommended that Google limit QR code execution to points where the user has solicited it. Google’s changes reflected this recommendation.”
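The design point behind Lookout's recommendation is general: configuration carried in an untrusted input channel (here, whatever the camera happens to see) must not be applied unless the user actually asked for it. The following is an added example, not Lookout's or Google's code, and the JSON-in-QR payload format, the `Device` model, the action names and the `HardenedHandler` class are all constructed for illustration; the real Glass configuration format is not on the page and is not reproduced here. It contrasts a handler that applies any parsed configuration the moment a frame contains one (the behaviour the article describes) with one that only acts inside a user-initiated scan and still requires confirmation before touching network settings.

```python
"""Added example (not Lookout's or Google's code): a toy model of executing
configuration from scanned QR codes, first unconditionally, then gated on
user intent. The payload format here is constructed and is NOT the real
Google Glass format."""
import json
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Device:
    """Minimal stand-in for a headset's network state (constructed)."""
    wifi_ssid: Optional[str] = None
    paired_bt: List[str] = field(default_factory=list)
    log: List[tuple] = field(default_factory=list)


def parse_qr_config(payload: str) -> Dict:
    """Parse a constructed JSON payload such as
    {"action": "wifi", "ssid": "cafe", "psk": "secret"}.
    Returns {} for anything that is not a well-formed config instruction."""
    try:
        cfg = json.loads(payload)
    except json.JSONDecodeError:
        return {}
    if not isinstance(cfg, dict) or cfg.get("action") not in ("wifi", "bluetooth"):
        return {}
    return cfg


def apply_config(device: Device, cfg: Dict) -> None:
    """Apply a parsed instruction to the device (constructed actions)."""
    if cfg["action"] == "wifi":
        device.wifi_ssid = cfg.get("ssid")
        device.log.append(("wifi_joined", cfg.get("ssid")))
    elif cfg["action"] == "bluetooth":
        device.paired_bt.append(cfg.get("addr"))
        device.log.append(("bt_paired", cfg.get("addr")))


def vulnerable_on_frame(device: Device, payload: str) -> bool:
    """The flawed pattern: any code the camera decodes is executed at once,
    whether or not the wearer meant to scan anything. Returns True if a
    configuration was applied."""
    cfg = parse_qr_config(payload)
    if not cfg:
        return False
    apply_config(device, cfg)
    return True


class HardenedHandler:
    """Configuration is applied only inside a scan the user explicitly
    started (one-shot), and only after a confirmation callback approves the
    specific change. Unsolicited codes are logged and dropped."""

    def __init__(self, device: Device, confirm: Callable[[Dict], bool]):
        self.device = device
        self.confirm = confirm
        self.scan_requested = False

    def user_requests_scan(self) -> None:
        """Called from a deliberate UI action, never from the camera path."""
        self.scan_requested = True

    def on_frame(self, payload: str) -> str:
        cfg = parse_qr_config(payload)
        if not cfg:
            return "ignored"            # not a config code at all
        if not self.scan_requested:
            # A config code appeared in view without the user asking: this is
            # the event a defender wants recorded, not acted on.
            self.device.log.append(("dropped_unsolicited", cfg["action"]))
            return "dropped"
        self.scan_requested = False     # consume the one-shot authorisation
        if not self.confirm(cfg):
            self.device.log.append(("declined", cfg["action"]))
            return "declined"
        apply_config(self.device, cfg)
        return "applied"


if __name__ == "__main__":
    # Constructed payload standing in for a code placed where a wearer might look.
    code = '{"action": "wifi", "ssid": "free-cafe-wifi", "psk": "x"}'
    old = Device()
    vulnerable_on_frame(old, code)          # joins without the user doing anything
    new = HardenedHandler(Device(), confirm=lambda c: c.get("ssid") == "home")
    print("vulnerable:", old.log)
    print("hardened:", new.on_frame(code), new.device.log)
```

The confirmation callback stands in for whatever the real UI would show; the two properties that matter are that `scan_requested` can only be set from a user action, and that it is consumed by a single frame so a later code in view cannot ride on an earlier authorisation.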
The vulnerabilities will likely not be the last such flaws to be spotted in Google Glass as the platform proceeds with its closed public beta. The platform has been available on a limited basis to developers and is tentatively set for release at the end of the year.